Open source good for security
The key to IT security is secure software – software that is written with not only features, but also security, in mind, says David Jacobson, technical director at Linux services company Synaq. However, says Jacobson, software is seldom developed with an eye on back-end security requirements. Developers are usually under pressure to deliver the required features within tight deadlines that leave little time to check for vulnerabilities at each step of the way. The result is that most software is inherently vulnerable.
“It is unfortunate that many people – business executives as well as so-called security experts – believe that the implementation of one or two security products can address security issues. There cannot be a ‘one size fits all’ approach to security as each environment is different, with its own set of vulnerabilities. And some security products themselves contain flaws which increase a network’s vulnerability rather than reduce it,” he says.
“Indeed, if businesses are serious about security, they need to understand that the only way to truly check that they are secure is to view the code. That’s one of the reasons I believe open source software is the better option for companies where security is of the utmost concern. It’s not that open source is more secure, but rather the fact that you can view the code, see any vulnerabilities yourself and even fix them if necessary, if you have the skills to do so,” says Jacobson.
Jacobson recommends that before implementing any application, including a security product, users should check the “pedigree” of the product.
This would include determining whether any vulnerabilities or flaws had been detected in the product, and how well or how quickly the vendor had responded to these reports. Most of this information is to be found on websites like www.securityfocus.com, a vendor-neutral site that provides objective, timely and comprehensive security information to all members of the global IT security community.
“The SecurityFocus Vulnerability Database, for example, delivers an invaluable service by providing security professionals with the most up-to-date information on vulnerabilities for all platforms and services. Another SecurityFocus service is BugTraq, a high volume, full disclosure mailing list for the detailed discussion and announcement of computer security vulnerabilities. BugTraq is, without doubt, the cornerstone of the Internet-wide security community,” he adds.